For example, a plurality of vehicle control devices is mounted on a vehicle such as a four-wheeled automobile or a motorcycle. Each vehicle control device is implemented as an electronic control unit (ECU). Each vehicle control device is connected to a predetermined node of a network configured in the vehicle, such as a controller area network (CAN) or a local interconnect network (LIN). Each vehicle control device exchanges, with the other vehicle control devices, the information necessary for controlling the in-vehicle device that it controls. In this way, the vehicle control devices communicate with each other to operate cooperatively.
A communication management device that manages communication between the vehicle control devices may be connected to the network of the vehicle. The communication management device also communicates with each vehicle control device.
In addition, in a case where a plurality of networks is configured in a vehicle, a communication management device may be connected to the plurality of networks, and vehicle control devices connected to different networks may communicate with each other via the communication management device. Specifically, upon communication between the vehicle control devices connected to different networks, the communication management device filters information received from the vehicle control device on one of the networks, and transfers the information to the vehicle control device on the other network or excludes (does not transmit) the information. In addition, in a case where a communication protocol of one network and a communication protocol of the other network differ from each other, the communication management device converts the communication protocol of information during communication between the vehicle control devices across the networks.
The filtering processing and/or communication protocol conversion processing executed by such a communication management device are collectively referred to as gateway processing. The communication management device is also implemented as an ECU. The communication management device is referred to as a gateway device, a gateway ECU, a communication management ECU, or the like. In contrast, the vehicle control device is referred to as a local device, a local ECU, or the like.
There is an in-vehicle communication system having a reprogramming function of rewriting a software program of a vehicle control device without detaching the vehicle control device from a vehicle (hereinafter, “reprogramming” may be abbreviated as “repro” for the sake of convenience). Specifically, a communication port to the outside is provided in a network of a vehicle, a vehicle control device, or a communication management device. An external device for reprogramming is then connected to the communication port, the external device transmits a reprogramming request signal or data to the vehicle control device, and reprogramming of the vehicle control device is executed.
However, there is a problem that a person having an intention to perform an illicit act (hereinafter referred to as an “illicit person”) connects an illicit device to the communication port, causes the illicit device to transmit an illicit reprogramming request signal and data, and illicitly reprograms the vehicle control device. If the vehicle control device is illicitly reprogrammed, the vehicle control device or the vehicle malfunctions, and therefore there is a risk of theft or the like.
To address this, JP 2008-276663 A discloses that when a vehicle control device receives a rewrite command, the vehicle control device inquires of a rewriting execution station whether a request signal is legitimate. The rewriting execution station is the distribution source of the request signal. When the vehicle control device inquires, the rewriting execution station searches its own rewrite command distribution history and gives a reply to the vehicle control device, the reply indicating presence or absence of the distribution history. According to the reply, the vehicle control device determines whether or not the rewrite command is legitimate. When the vehicle control device determines that the rewrite command is not legitimate, the vehicle control device prohibits execution of reprogramming based on the rewrite command.
In addition, JP 2013-141947 A discloses that in a case where a gateway (GW)-ECU receives reprogramming data via an authorized on-board diagnosis second generation (OBDII) port, the GW-ECU transfers the reprogramming data to a target ECU. In contrast, in a case where an illicit device sends illicit reprogramming data to a network of a vehicle without going through the OBDII port and the GW-ECU receives the illicit reprogramming data via the network of the vehicle, the GW-ECU transmits a mandatory command to the target ECU in order to disable reception of the illicit reprogramming data.
In addition, JP 2013-141948 A discloses that when a GW-ECU receives a reprogramming request signal via a communication port, the GW-ECU collates an identification code included in the reprogramming request signal with a registration code registered in advance. If the identification code and the registration code match, the GW-ECU transfers the reprogramming request signal to a target vehicle control device. If the identification code and the registration code do not match, the GW-ECU prohibits transfer of the reprogramming request signal only for a predetermined period.
With the known techniques, however, illicit reprogramming of the vehicle control device cannot be prevented in a case where, for example, an illicit person uses an illicit device to transmit false information to a vehicle control device, such as false information indicating that there is a reprogramming request signal distribution history. Nor can illicit reprogramming be prevented in a case where an illicit person connects an illicit device to an authorized communication port such as an OBDII port. Furthermore, illicit reprogramming cannot be prevented in a case where an illicit person steals authentication information, such as an authentication code included in an authorized reprogramming request signal, and includes the authentication information in an illicit request signal.
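The code-collation check attributed above to JP 2013-141948 A, together with the stolen-code limitation noted in the preceding paragraph, can be modeled as follows. This is an added illustration, not code from the cited publications; the type and function names, the 4-byte code length, the 10-second lockout and all sample codes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define CODE_LEN   4
#define LOCKOUT_MS 10000u  /* "predetermined period"; constructed value */

typedef enum { GW_FORWARD, GW_REJECT, GW_LOCKED_OUT } gw_verdict;

typedef struct {
    uint8_t  registered[CODE_LEN]; /* registration code stored in advance */
    int      locked;               /* is transfer currently prohibited? */
    uint32_t lock_start_ms;        /* when the prohibition began */
} gateway;

/* Compare without early exit so timing does not reveal matching bytes. */
static int codes_match(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < CODE_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Collate the identification code of a repro request arriving at the port. */
gw_verdict gw_check_repro_request(gateway *gw, const uint8_t *id_code,
                                  uint32_t now_ms)
{
    /* Unsigned subtraction stays correct across timer wrap-around. */
    if (gw->locked && (uint32_t)(now_ms - gw->lock_start_ms) < LOCKOUT_MS)
        return GW_LOCKED_OUT;
    gw->locked = 0;
    if (codes_match(gw->registered, id_code))
        return GW_FORWARD;       /* transfer the request to the target ECU */
    gw->locked = 1;              /* mismatch: prohibit transfer for a period */
    gw->lock_start_ms = now_ms;
    return GW_REJECT;
}

/* Constructed sample data, not values from any real vehicle. */
gateway demo_gw = { {0x12, 0x34, 0x56, 0x78}, 0, 0 };
const uint8_t guessed_code[CODE_LEN]  = {0x00, 0x00, 0x00, 0x00};
/* Same bytes as the registered code, as if copied from an authorized request. */
const uint8_t replayed_code[CODE_LEN] = {0x12, 0x34, 0x56, 0x78};
```

Because the verdict depends only on the code bytes, a request carrying a copied code is forwarded exactly like a legitimate one once any lockout has elapsed; the lockout only slows guessing.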